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Abstract — In this paper we propose a feedback scheme for 
transmitting secret messages between two legitimate parties, over 
an eavesdropped communication link. Relative to Wyner's tradi- 
tional encoding scheme [1], our feedback-based encoding often 
yields larger rate-equivocation regions and achievable secrecy 
rates. More importantly, by exploiting the channel randomness 
inherent in the feedback channels, our scheme achieves a strictly 
positive secrecy rate even when the eavesdropper's channel is 
less noisy than the legitimate receiver's channel. All channels are 
modeled as binary and symmetric (BSC). We demonstrate the 
versatility of our feedback-based encoding method by using it in 
three different configurations : the stand-alone configuration, the 
mixed configuration (when it combines with Wyner's scheme [1]), 
and the reversed configuration. Depending on the channel con- 
ditions, significant improvements over Wyner's secrecy capacity 
can be observed in all configurations. 

Index Terms — Eavesdropper Channel, Secrecy Capacity, Bi- 
nary Symmetric Channels, Feedback. 

I. Introduction 

In the context of a broadcast channel with confidential 
messages, it was shown in [2] that a strictly positive se- 
crecy capacity cannot be achieved for any arbitrary pair of 
receiver/eavesdropper channels. In particular, [3] proves that 
whenever the eavesdropper's channel is less noisy than the 
receiver's channel, no secret messages can be exchanged 
between the legitimate transmitter and receiver by the con- 
ventional method of [1]. 

This motivated several works [4], [5], [6], [7], [8] to focus 
on alternative methods of achieving positive secrecy rates even 
when the legitimate receiver has a worse channel than the 
eavesdropper. All these works exploit the idea of feedback 
channels. 

The simple and interesting method of [4] is based on making 
the receiver jam the eavesdropper. The receiver can subtract 
its own jamming signal from the received signal, while the 
wiretapper is kept totally ignorant of the confidential infor- 
mation flowing between the legitimate users. The drawback 
of this approach is that the receiver has to function in full 
duplex mode. Although an extension to half-duplex mode is 
presented in [4] for binary symmetric channels, it relies on the 
assumption that the transmission of symbol is equivalent to 
the absence of a physical signal. We believe that under this 
assumption, the binary symmetric channel is no longer valid 
as a simplified model for a physical wireless channel. 
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More recently, [7], [8] both use a secret key to enhance 
the secrecy throughput of Wyner's scheme. In [7] the secret 
key is communicated through an error-free secure channel, 
while in [8] it is transmitted using Wyner's scheme on the 
feedback channels (and thus its secrecy is subject to Alice's 
feedback channel being better than Eve's). An interesting idea 
of [8] is to use time-sharing on the feedback link. Part of 
the feedback transmission is used to generate the secret key, 
while the remaining part is used to transmit random symbols 
with the purpose of providing the "common randomness" 
necessary for our secrecy encoding scheme described in this 
paper. A mixed secrecy encoding strategy inspired by [9] is 
proposed in [8]. The main idea behind this strategy is to 
simultaneously transmit a combination of secret messages, 
encoded by different methods. However, while a message 
encrypted by a secret key can be transmitted at the same time 
as a secret message encoded by Wyner's scheme, the additional 
secret message encrypted with the use of a random feedback 
sequence does not maintain secrecy. The exact reasons why 
both Section IV.B. of [9] and the proposed schemes of [8] 
are incorrect will be revealed in Section [IV] None of the 
previously mentioned works considers the impact of feedback 
transmission on the overall bandwidth use. This drawback 
becomes critical in [8], where it results in the "secrecy rates" 
bearing no physical meaning, as will be shown in Appendix 

El 

The concept of common randomness is introduced in [5], 
[6]. Such randomness can be acquired if all terminals attempt 
to decode (note that a necessary condition is that the eaves- 
dropper cannot decode perfectly) a sequence of random bits, as 
for example a data stream transmitted by a satellite at very low 
signal to noise ratio (SNR) [5]. Both [5] and [6] study the case 
when the legitimate users agree on a secret key by employing 
repetitive protocols, which are not efficient for regular data 
transmission. 

The idea developed in this paper is inspired by a particular 
case in [5]. As an example and motivation for the feedback 
approach to secrecy in the classical Alice (transmitter) - 
Bob (receiver) - Eve (eavesdropper) scenario, [5] develops a 
scheme where the common randomness is not received from 
some external source (like a satellite), but introduced by Alice 
herself, and functions as a secret key which allows Bob to 
share a secret message with Alice over a public, error free 
channel. Our model changes the roles of Alice and Bob. 
Although at some point we make use of the same concept 
of public error free channel, we provide techniques that create 
such a channel, and show how these techniques impact the 
overall secrecy rate. Our results explicitly count the loss in 
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the total rate due to the transmission of feedback. 

While sharing functional similarities with the well-known 
one-time pad [10] encryption scheme, our approach is radi- 
cally different in that it requires no secret key to be shared by 
the legitimate parties before the initiation of the transmission 
protocol (except maybe a small secret key that guarantees au- 
thenticity as in [5]). Instead it exploits the channel randomness 
as means of confusing the eavesdropper. 

Our contributions can be summarized as follows: 

> We show how an adaptation of Maurer's scheme [5] 
can be used to achieve a non-empty rate-equivocation 
region and hence a strictly positive secrecy rate over bi- 
nary symmetric channels (BSCs) even when the forward 
channel between Alice and Eve is less noisy than the 
forward channel between Alice and Bob, regardless of 
the feedback channel quality between Bob and Alice or 
Bob and Eve. 

• Our results also indicate how the forward channel capac- 
ities scale the overall secrecy rate and what penalties are 
incurred by the transmission of feedback sequences. 

• We show that even if the forward channel from Alice to 
Bob is less noisy than the channel from Alice to Eve, 
feedback can sometimes further improve the achievable 
rate-equivocation region obtained using Wyner's classical 
method [1]. This is done by dividing the transmission 
over the forward channel into two parts, as in [2]. Thus, 
we transmit a secret message at a rate less than the 
secrecy capacity [1], and allow room for an additional 
common message, which carries information "encrypted" 
with the help of the feedback sequence. The optimal way 
of splitting the forward message rate is found numerically. 

> We prove that, for a two-user broadcast channel with both 
channels binary and symmetric, the optimal auxiliary 
random variable of [2] needed to encode both a secret 
and a common message into the transmitted sequence 
has an alphabet of size not more than three. Moreover, 
we conjecture that the optimal alphabet is binary. If 
the auxiliary random variable is considered to be binary 
(whether or not this results in loss of optimality), we 
prove that the optimal auxiliary channel [2] that links it to 
the input of the physical channel is binary and symmetric. 

• Finally, we take our scheme a step further and implement 
it on the reverse channel (from Bob to Alice, rather than 
from Alice to Bob), in order to generate a secret key. 
Alice uses this key as a one-time pad for the transmission 
of a secret message. 

The sequel is organized into seven sections. Sections III- Al 
and III-BI describe the kernel of our scheme. Our adaptation 
of Maurer's idea [5], including the channel model and the 
transmission protocol are presented in Section IH-AI under 
the assumption that the forward channels are error free. The 
public error free channel and the overall rate-equivocation 
region are discussed in Section III-BI for a general value of 
the forwarding rate. Section [ill] deals with the special case 
when the eavesdropper's forward channel is less noisy than 
the legitimate receiver's forward channel, while section [TV] 
extends the model to the case when the eavesdropper's forward 



channel is worse than the legitimate receiver's. An alternative 
scheme, which reverses our protocol to generate a secret key, 
is provided in Section [V] Finally, conclusions are drawn in 
Section |VT] 

II. The Kernel 
A. The Unsealed Rates 

Consider the classical Alice (transmitter) - Bob (receiver) - 
Eve (eavesdropper) scenario with binary symmetric channels 
(BSCs) between any pair of users. We assume that Eve's only 
form of interfering with the transmission is eavesdropping. Al- 
though our present treatment is restrictive to binary channels, 
the principles and results therein can be easily extended to 
more complex models. 

The proposed model is depicted in Figure Q] The transmitter 
(Alice) wants to communicate the outputs of a source 5? of 
entropy H s to the legitimate receiver (Bob), and maintain some 
level of secrecy towards the wiretapper (Eve). The channel 
A — > B from Alice to Bob is a BSC characterized by its 
crossover probability e/, while the binary symmetric channel 
A — > E from Alice to Eve is characterized by the crossover 
probability 5 f . Similarly, the feedback BSCs B — > A (Bob to 
Alice) and B — > E (Bob to Eve) are characterized by their 
crossover probabilities eb and 5b, respectively. 

The transmission protocol associated with the channel 
model in Figure Q] is an adaptation of Maurer's scheme [5] 
and is described as follows. Bob feeds back a sequence x of 
n bits representing the independent realizations of a Bernoulli 
random variable X with expectation E[X] = 0.5. Since 
the bits are independent and identically distributed (i.i.d), 
Alice's and Eve's estimate of each bit should be based solely 
on the corresponding received bit. Therefore, the bit error 
probabilities that affect Alice's and Eve's decoding are and 
5b respectively. Denote the feedback sequences received by 
Alice and Eve as y and z, respectively. 

At this point, our feedback-based protocol assumes that 
Alice can share information with both Bob and Eve through an 
error free public channel, just like in [5]. The implications of 
achieving such an error free channel are discussed in Section 

Since an error free public channel cannot protect Alice's 
information from the eavesdropper Eve, the protocol has to 
artificially create a pair of channels that are adequate for the 
transmission of secret messages. 

For this purpose, if Alice needs to send an n-dimensional 
sequence v to Bob, she first computes v©y, where © denotes 
addition mod 2, and feeds this signal through the error free 
channel. Since x is a sequence of i.i.d. symbols with a uniform 
distribution over {0, 1}, the same property holds for the BSC 
output y and, by the Crypto lemmd^ [11], [4], for v © y. 

Both Bob and Eve receive v © y with no errors. In order to 
obtain the original message v, the optimal strategy for Bob is 

'Special care should be applied when using the Crypto lemma [11]. For 
instance, if C is a compact Abelian group and X and E are random variables 
over C such that X is independent of E and uniformly distributed over C, 
then X + E is uniform and independent of E. However, E is not independent 
of (X,X + E). 
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Fig. 1. System model. 



to compute v©y©x, while Eve's best strategy is to compute 
v®y ©z [5]. 

As a consequence, a bit error probability of eb — £b will 
affect Bob's estimate of v, while a bit error probability of 
£e = £b + $b — 2eb5b will affect Eve's estimate [5]. The result 
is an equivalent system in which Eve's channel is a degraded 
version of Bob's channel, and which is therefore adequate 
for the transmission of secret messages from Alice to Bob. 
In other words, standard secrecy encoding can be performed 
for this equivalent system so that the n-sequence v carries a 
secret message s fcl (which will hence forth be represented as 
a sequence of fci source symbols). A total transmission rate 
arbitrarily close to 

R t , u = 1 - h(e b ) (1) 

can be achieved as n — > oo, where h(-) represents the binary 
entropy function h(x) = — x\og 2 (x) — (1 — x) log 2 (l — x). 

We shall now restate some of the definitions in [1] and then 
show how Theorem 2 of [1] can be readily applied to our 
scenario. 

Definition 1: The equivocation of the source 5? of entropy 
H s at Eve is defined as: 

A = ±-H( S k \w™), (2) 

where the sequence s k of k source symbols are encoded into 
a codeword of length AI which is transmitted over the 
broadcast channel, and received by Eve as w^ 1 . 

Definition 2: The rate-equivocation pair (R, d) is achiev- 
able if for any v > there exists an (M, k,A,P e ) code as 
defined in [1] such that: 

*2j>->R-v, A> d — v, ~P~ e <v (3) 

where P e is the average error probability in decoding for s fe 
at Bob. 

Theorem 3: (Theorem 2 from [1 ]) A rate-equivocation pair 
(R, d) is achievable for Wyner's scheme with discrete memo- 
ryless symmetric channels if and only if 

0<R<C M , 0<d<H s , Rd<H s C s , (4) 



where C s = Cm — Cmw is the secrecy capacity (representing 
the maximum rate at which the outputs of the source 5^ can be 
conveyed from Alice to Bob, while remaining perfectly secret 
to Eve) achievable by Wyner's scheme in this case, Cm is the 
capacity of Bob's channel, and Cmw is the capacity of Eve's 
channel. 

The following corollary, which will prove useful in the 
sequel, follows directly from Theorem [3] and Definition [2] 

Corollary 4: If (R, d) is an achievable rate-equivocation 
pair, then as M — > oo the number of secret source symbols k 
that can be encoded into the M -sequence w^ 1 can approach 
the upper-bound 



Proof: By Theorem [3] and Definition [2] we have ^f- > 
R — v, which implies -|j > jj-(Rd — ud), and taking the 
limit Rd = H S C S we get |j > C s - jf. But according to 
Theorem [3] we have d < H s , hence, as v — > 0, if we pick 
a large enough M we can obtain jf — > C s , or equivalently 

If we apply Theorem [3] to the pair of equivalent chan- 
nels derived above, we can conclude that there exists a 
(n, fci, Ai,P e ,i) code satisfying > R — v, A x > d — v, 
and RT[ < v if and only if < R < R t , u , < d < H s , 
Rd < H S R S U , where R S;U is the maximum achievable secrecy 
rate of [1], [2]: 

R s ,u = h( e b + $b - 2e b 6b) - h(e b ) . (6) 

Several comments are in order. First, note that R s u > - 
and therefore the rate-equivocation region as defined in [1] is 
non-empty - unless 5b € {0, 1} (the assumption that feedback 
channels exist implies eb ^ 0.5) 

Second, the rates Rt u and R s jU do not represent the overall 
transmission and secrecy rates of our model, since a pair of 
binary symmetric channels such as the forward A — > B and 
A — > E channels cannot provide error free transmission at 
infinite rates. The information encoded in the sequence v 
mentioned above has to pass through one of these channels 
in order to be available at the other two terminals. While 
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this "correction" will be considered in Section III-BI we shall 
denote the rates i? f u and R s ,u as the unsealed transmission 
and secrecy rates, respectively. 

Third, note that under the above protocol, an independent 
feedback sequence x is transmitted every time for each 
new information-carrying sequence v. Eve's resulting error 
sequence is always different and independent, and acts like a 
one-time pad [10]. As is the case with a one-time pad, the 
feedback sequence cannot be recycled. If only one feedback 
sequence is transmitted and used for a set of several messages, 
Eve's equivocation about the whole set will be the same as her 
equivocation about any one message in the set. 

Therefore, an additional rate penalty has to be introduced 
to address the channel uses required for the feedback of x, as 
will be shown in Section III-BI 

B. The Overall Rate-Equivocation Region and Secrecy Rate 

This section shows how the overall transmission rates of our 
model depend on the unsealed rates of the equivalent system 
presented in Section III-AI and on the transmission rates used 
over the forward binary symmetric channels. 

In Section III-AI we showed that, if feedback is allowed, we 
can artificially form an equivalent system that allows encoding 
by Wyner's scheme [1]. All that is needed is an error free 
public channel to support the transmission of the n-sequence 
v © y. By the channel coding theorem, this channel is readily 
available if vffiy is transmitted at a rate RAB.fb (the notation 
stands for the rate at which the feedback processed signal is 
transmitted from Alice to Bob) less than the capacity of the 
A — > B channel Cab = 1 — M e /)- 

Proposition 5: There exists a channel code (M, n, P e , c ) 
(where n is the size of the message, M is the size of the 
codeword and P ex is the code's average error probability) that 
can transport the sequence v © y over the forward channel in 
such a manner that the secret message s fel is recovered with 
asymptotically no errors by Bob. 

Proof: Denote the error sequences introduced by the 
feedback channels by ebA - for Alice - and ebE - for Eve. 
According to [1] if the rate of the secret message is less than 
R s u , then there exists an encoding/decoding technique such 
that for any v > there exists N > such that the average 
probability of correctly decoding for the secret message s fel is 



Pr{s kl } Pr{e hA }Pr{v\s kl } 



•Prj>(v ffi e bA ) = s fcl } > 1 



(7) 



for ?i > A*o, where ip(-) is Bob's secrecy decoder. 

Moreover, according to Gallager's second corollary of The- 
orem 5.6.2. [12], there exists a (M,n, P e , c ) code for Bob's 
forward channel with the property that if the transmission rate 
is jt = RAB.fb < Cab, then for any v > there exists 
Ni > such that the average probability of correctly decoding 
a given transmitted message t is 

1 - Pe,c = Y Mt}Pr{w B |t}Pr{0(w B ) = t} > 1 - 

w B -t 

for n > Ni, where (/>(•) is Bob's channel decoder and wb 
is Bob's received sequence over the forward channel (when 



wa is transmitted by Alice). Note that our decoding method 
consists of separate channel and secrecy decoding. That is, 
Bob estimates the secret message s, as s = ^(0(w B ) © x). 
There is no guarantee that this separate decoding method is 
optimal. We define Bob's optimal (joint) decoder £(•), yielding 
the optimal estimate ls = £(wb)- Given the feedback sequence 
x, we can lower bound 

PrU(w B ) = s fcl }> 

>^Pr{0(w B ) = t}Pr{V'(t © x) = s kl }. (9) 
t 

Thus given the feedback sequence x, Bob's average proba- 
bility of correctly decoding for the secret message s kl can be 
lower bounded as 

^]Pr{s fel } Y Pr{e bA }Pr{v\s kl }Y Pr { x } ■ 

s k i v,e b A x 

(a) 

• 2J Pr{ w B |v©e bA ffix}Pr{£(w B ) = s kl } > 

w B 

>^Pr{s fel } Y Pr{e hA }Pr{v\s kl }Y Pr { x } ■ 

s fc i v,e b A x 

■^Pr{w B |vffie bA ffix}^Pr{0(w B ) = t} • 

w B t 

• Pr{V'(t ffix) = s fcl } > 
>^Pr{s fel } Y Pr{e bA }Pr{v\s kl }J2 Pr i x } ' 

s fc i v,e b A x 

• Y Pr{w B \v © e bA © x} • 

w B 

• Pr{(j)(\v B ) = v © e bA © x} • 
■Pr{^(vffie bA )}-s fcl } ( - ) 
= ]TPr{s fel } Y ^{e bA }Pr{v|s fel }. 

s k i v,e bA 

• Pr{^(v © e bA )} = s fcl } J2 Pr i*} J2 

x W B 

Pr{w B |v ©e bA ffix} • 
(d) 

■ Pr{^(w B ) = v ffi e bA ffi x} > 
> (l-v)Y p r{s kl } ^{e bA }Pr{v|s fcl }- 

s fc i v,e bA 

■PrOKvffie bA )} = s fcl } > {l-vf. (10) 

Inequality (a) follows from (O, inequality (b) from the fact 
that J2 t ^00 ^ -F(t)|t=vee bA ex for any positive function P, 
while the equality (c) from simply re-arranging the terms. In 
inequality (d) we used <[8j and the fact that Pr{vffie bA ffix} = 
Pr{x} (due to the Crypto lemma [11]), while inequality 
(e) follows directly from (0. The resulting average error 
probability at Bob is thus 

PZ<2 V -v 2 , (11) 

(8\vhich goes to zero as v — > 0. ■ 
Denote C\e = 1 — h(5f) the capacity of Eve's forward 
channel. Note that if Cae > Cab, Eve will also be able 
to decode the sequence v ffi y with no errors asymptotically. 
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However, Eve's equivocation about the secret message s fcl is 
maintained due to the feedback processing. On the other hand, 
if Cae < Cab, Eve cannot decode for the message v © 
y. Under this scenario, a secret message can be transmitted 
from Alice to Bob by Wyner's scheme, without using any 
feedback. The optimal tradeoff between the rate of encoding 
a secret message directly through Wyner's scheme and the rate 
RAB.fb at which a feedback-processed secret message should 
be forwarded to Bob will be discussed in Section [IV] In what 
follows, we prove that Eve's equivocation about the feedback- 
processed secret message s fcl is maintained regardless of the 
forwarding rate RABjb- 

Proposition 6: Eve's equivocation about the secret message 
does not decrease because of channel coding for the forward 
channel. 

Proof: Let we denote Eve's received signal over the 
forward channel and s fcl denote the secret message. Also, 
recall the error sequences corresponding to the feedback 
channels were denoted by ebA (for Alice's feedback channel) 
and ebE (for Eve's feedback channel). 

Eve's equivocation about the secret message is 

H(s kl | w E , x © e bE ) > H(s kl |v © y, x © e bE ) = 
= H (s kl |v © e bE © e bA , x © e bE ) = 

= F(s fel |vffie b Effie bA ), (12) 



fci 



v © y —> w e form 



where the inequality follows since s 
a Markov chain, and the last equality is due to the Crypto 
lemma [11] and the fact that the probability distribution of x 
is uniform over {0, 1}" (implying that xffle b E is independent 
of (s fcl , v©e b E©e b A))- Hence Eve's equivocation can only 
increase because of the imperfect forward channels. ■ 
The impact of the forward channel finite transmission rate 
on the overall achievable rates is reflected in a scaling of the 
unsealed rates by the rate used over the forward link RABjb- 
That is, a sequence of mi bits carrying ki = nR s u /H s secret 
symbols is mapped to an n-sequence v by Alice's secrecy 
encoder, such that ^ « Rt,u- Next, Alice computes v © y, 
and feeds this signal to the channel encoder. Since v © y is 
a sequence of i.i.d. uniform bits (as shown in Section Ill-Al l, 
its error free transmission requires an approximate number of 
channel uses. Hence, the mi source bits are 



K-ABJb 

transmitted in M channel uses. 

An additional number of n channel uses have to be consid- 
ered for the transmission of the required feedback sequence 
x. Noting that -on — = J tAB,fb . , we can state the following 

= M+n R.ABJb + 1 fe 

result. 

Theorem 7: For any vq, by choosing v such that vq > 
max{i/, 2v — v 2 }, we can find a code - comprising the original 
(n, k\, d, P e .i) secrecy code, the forward (M, n, P e , c ) channel 
code and the feedback - which encodes the k\ -sequence s fcl 
into the Af-sequence w^f, such that if Bob receives w^ 1 and 



fe, H, 



Eve receives wSr, we have T 

' M+n 

and P R i < i/q, as long as 



> 



M+n 



R — vq, Ai > d—VQ, 



< 



M 



-R < 



Rab 



fb 



RABjb + 1 



Rt,m 



< d < H s 



(13) 



(14) 



- Rd < He — — R<. 



M + n RABjb + 1' 

This yields an overall secrecy rate of 

R _ p RABjb 



(15) 



(16) 



RABjb + 1 

Proof: The proof follows from Propositions [5] and [6] ■ 

III. The First Approach: Eavesdropper's Forward 
Channel Less Noisy than Legitimate Receiver's 
Channel 

In this section we show a first approach to increasing the 
secrecy rate by using our feedback-based scheme. We prove 
that it can achieve a strictly positive secrecy rate and a non- 
empty rate-equivocation region even if the eavesdropper's 
forward channel A — > E is less noisy than the legitimate 
receiver's channel A — > B. The case when A — > B is less 
noisy than A — > E is studied in Section |IV] 

If Eve's forward channel is less noisy than Bob's forward 
channel, or equivalently Sf < ef, then no messages can 
be transmitted at any level of secrecy over the A — > B 
channel by Wyner's method [1]. If we take the forwarding rate 
RABjb arbitrarily close to Bob's forward channel capacity 
Cab, we obtain the following result which is a straightforward 
adaptation of Theorem [7] 

Corollary 8: For any i/q > there exists a code which 
encodes the fc-sequence s kl into the M-sequence w^, such 
that if Bob receives w^ 1 and Eve receives w^ 1 , we have 



MT^ - W+^ R ~ Al - d ~ u °> and Pe - v °> as lon s as 



< 



M 



-R < 



Cab 



Cai 



-Rt,m 



0<d<H B , 



Rd < H„— — AB _ R s ,u- 



M + n ~ Cab + 1 
This yields an overall secrecy rate of 

P - R CAB 



(17) 



(18) 



(19) 



(20) 



Cab + 1 

The following remark is in order. Maurer's "secrecy capac 
ity with public discussion" [5] is upper-bounded as follows: 



C S (P 



YZ\X. 



< maxI(X:Y\Z) 

" Px 



(21) 



where X, Y and Z denote the input and the outputs of the 
non-perfect channel (in our case the input to feedback channel 
at Bob and the outputs at Alice and Eve, respectively), and Px 
denotes the probability distribution of X input. It is also noted 
in [5] that in the case of binary symmetric channels, the upper- 
bound is achieved. For our case, this means that the unsealed 
secrecy rate R s u = h{eb+5b— 2efe#&) — can be increased 
no further. 

However, for a practical system with imperfect forward 
channels, the objective should be to maximize the overall 
secrecy rate rather than the unsealed secrecy rate. In the 
remainder of this section we provide a simple example to 
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Secrecy rate achievable with feedback scheme:e =0.02, 3 =0.01 



e S 

Fig. 2. The operator corresponding to the repetition coding preprocessing. 

prove that by altering the feedback sequence we can increase 
the overall secrecy rate of the system over the value 

Cab 



R s ,o = [h{e b + 6 b - 2e b 5 b ) - h(e b )] 



Cab + 1 



(22) 



provided by the maximization of the unsealed secrecy rate. 
Processing the feedback sequence improves performance 

So far we assumed that the feedback i.i.d. uniform sequence 
of bits x is transmitted by Bob with no further processing. 

Further processing of the feedback sequence results in 
equivalent feedback channels with altered error probabilities. 
Although the overall achievable secrecy rate depends on the 
rate at which the feedback is transmitted, an error and rate 
reducing encoding/decoding scheme for the feedback sequence 
implemented among the three parties can improve the system's 
performance. One such simple scheme, which preserves the 
independence between the symbols of y after decoding, is 
obtained if Bob encodes the feedback sequence x using 
repetition coding of rate 1/N, and Alice and Eve employ the 
optimal decoding scheme, which is majority decoding. The 
scheme results in equivalent BSCs with crossover probabilities 



and 



2K+1 

E 

i=K+l 



2K+1 



4= E 



i=k+l 



2K+1 



2K+1 



4(i - «*) 



2K+l-i 



si(i - s b ) 



2K+l-i 



(23) 



(24) 



where N = 2K + 1 if N is odd and N = 2K + 2 if N is 
even, and K > 0. 

The optimum N that maximizes the overall secrecy rate 
can be obtained numerically. The improvement in the overall 
secrecy rate due to repetition coding, as well as the optimal 
choice of N will be shown in Figure |4] and of Section |IV] 
However at this point we note that a processing method that 
decreases equivalent crossover probabilities is better when e b 
is decreased more than 5 b , i.e. when the strength of Bob's 
channel is increased relative to that of Eve's. By inspecting 
(l23l and 1241 . we notice that the operator corresponding to our 
preprocessing method is exponential. It is therefore expected 
that the method gives better results when e b < 5 b , as can be 
seen from Figure |2] (this phenomenon is indeed observed in 
our numerical results of Section IIVI . 





Fig. 3. Overall secrecy rate achievable by our feedback scheme for e i 
and S f = 0.01. 



: 0.02 



Although the above result may seem counter-intuitive (in 
light of Maurer's Theorem 4 [5]), the improvement in our case 
results exactly from the imperfection of the forward channels, 
which translates to scaling coefficients for all achievable rates, 
as shown in Section IH-BI 

Note that if a rate 1/N repetition coding is used for the 
transmission of the feedback sequence, the total number of 
channel uses needed for feedback is Nn, leading to the overall 
secrecy rate 



Rs.r. — 



nR s 



n/R 



AB.fb 



nN 



= R« 



RABJb 



NR A 



BJb 



1 



(25) 



The unsealed secrecy rate R s>u increases with N, while the 



correction factor 



Cae 



decreases with N, hence the need 



AfC AB + l 

to find the optimal value of that maximizes i? SiC . 
Some numerical results 

Since the secrecy rate is simpler to represent than the 
rate-equivocation region, throughout this paper we focus on 
illustrating the improvements in the achievable secrecy rate 
due to feedback. We first consider a model in which the 
forward channels have crossover probabilities e/ = 0.02 and 
5f = 0.01, respectively. In this scenario, Wyner's scheme 
cannot deliver a secret message from Alice to Bob at any 
positive rate. However, the secrecy rates achievable by our 
feedback based scheme (in Figure are strictly positive 
(except in the pathological cases when S b — or e b = 0.5). 

In Figures [4] and [5] we show the additional improvement in 
the overall achievable secrecy rate obtained if we use repetition 
coding for the transmission of the feedback sequence, and 
the optimal repetition order N. Although the improvement is 
marginal, it proves that Maurer's upper bound on the secrecy 
capacity with public discussion [5] does not hold if the forward 
channels are imperfect. 

IV. The Second Approach: Legitimate Receiver's 
Forward Channel Less Noisy than Eavesdropper's 
Channel 

If e/ < Sf, a non-empty rate-equivocation region and a 
strictly positive secrecy rate less than C s = Cab — Cae are 
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Improvement in secrecy rate due to feedback repetition coding 
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Fig. 4. Secrecy rate improvement due to feedback repetition coding. 
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Fig. 5. The optimal value of TV for feedback repetition coding. 



asymptotically achievable without feedback [1]. In this section 
we show that even under this scenario, sometimes feedback 
can improve the achievable secrecy rate. For example, when 
C 8 is small compared to Cab, and the unsealed secrecy rate 
achievable with feedback R s . u is relatively large (i.e. when 
the channel B — > A is significantly better than the channel 
B — > E, while the channel A — > B is only slightly better than 
the channel A — > E) , we can have C s < R su Jr' AB , , . 

However, in general, neither Wyner's original scheme, nor 
our feedback based scheme is optimal. Instead, as we shall 
see shortly, encoding a combination of a secret message and a 
feedback-processed message into the forwarded sequence wa 
can achieve a higher overall secrecy rate. 

The method behind the direct part of Wyner's Theorem 2 [1] 
assumes the transmission of m% bits, containing = n^Cg 
secret bits, by mapping the fc2-bit secret message s fc2 to a 
specific coset. The rest of 777,2 — &2 bits correspond to the 
index of the randomly picked coset representative which is 
transmitted. Since Bob can decode the transmitted codeword 
perfectly, he has access to all 7772 bits. The 7772 — fc2 non- 
secret bits are neither secret to, nor can they be decoded 
by Eve without errors [2]. It was assumed in [1] that these 
bits are picked randomly (according to a uniform distribution) 
and carry no information. In their extension of Wyner's work, 
Csiszar and Korner [2] observe that these bits can actually be 



picked according to the output message of a uniform source 
of entropy H x = 777,2 — which can carry useful information 
for Bob [2]. 

At a first glance, it would appear that by encoding the mes- 
sage v © y into the 7712 — k-i non-secret bits, we could transmit 
it asymptotically error free to Bob, at a rate arbitrarily close to 
Cab — C s = Cae, in addition to the original secret message 
s fc2 . In this case, even if Eve had perfect access to these bits 
(which she has not), the equivocation of both secret messages 
would be preserved. This argument is the starting point of the 
proposed mixed secrecy scheme of [8] (see Appendix [A] for 
more remarks on [8]). Unfortunately, the argument above is 
false. By using the sequence v © y = v © x © ebA to pick the 
coset representative to be transmitted over the forward channel, 
the equivocation of the secret message s k2 encoded into the 
other &2 bits is compromised. As shown in Appendix [A] this 
happens because Eve has access to a distorted version of the 
feedback sequence x © ebE, which is correlated with v © y. 

Therefore we need an encoding technique in which Eve's 
information about the message v © y, obtained through x © 
ebE, does not influence the secrecy of s fe2 . Such a technique is 
readily provided by [2]. The encoding technique of [2] aims at 
transmitting not only a secret message from Alice to Bob, but 
also a common message from Alice to both Bob and Eve. The 
code is designed following a 2-cycle maximal construction 
idea. First, a sub-code which can carry information reliably 
over both channels, at a sub-optimal rate is picked for the 
common message. Other codewords are then added to the sub- 
code (in two cycles) - such that Bob can distinguish between 
any two codewords, while Eve can only distinguish between 
any two codewords corresponding to the same secret message 
- until no more such codewords exist. 

Adapting this strategy to our case, we can treat the sequence 
vffiy as a common message, intended for both Bob and Eve. In 
addition to the common message, we can also transmit a secret 
message s fe2 to Bob. Since the common message is designed 
to be perfectly decoded by Eve, the additional information 
contained in x ffi ebE cannot compromise the secrecy of 
s^ 2 . The drawback is that the transmission of a common 
message decreases the rate at which the secret message s fe2 
can be conveyed to Bob [2]. However, the transmission of 
an additional secret message s fel , encoded in the sequence v, 
can make up for this loss and, in many circumstances, bring 
noticeable improvements over Wyner's scheme [1]. 

In order to pursue this path, we first need to establish what 
is the optimal tradeoff between the common message rate and 
the secret message rate. Denote by Wa, Wb and We the 
input to the forward channel and the outputs at Bob and Eve, 
respectively. According to Theorem 1 of [2], the two rates 
have to satisfy: 

R e <I(V;W B \U)-I(V;W E \U), (26) 

R c < mm[I(U; W B ),I(U; W E )], (27) 

where R e is the secret message rate, R c is the common 
message rate, and U and V are two auxiliary random variables 
such that U — > V — > Wa — > Wb , We form a Markov chain. 



8 



For our special BSC case, and under the scenario where 
e/ < Sf, we can further simplify ( f27l >: 



(28) 



R c < I(U;W E ). 

Following the proof of Corollary 3 in [2], we can write 
as: 



R e < HV; W B \U) - J(V; W E \U) = 
= I(V; W B ) - /(V; W E ) - [I(U; W B ) - I(U; W E )\ = 
= [I(Wa;W b ) ~I(W a ;We)} - 
-[I(W A ;W B \V) - I(W A ;W E \V)] - 

-[I{U;W B )-I(U;W E )}, (29) 

where the equalities follow from the fact that if X — ► Y — > Z 
form a Markov chain, then J(Y; Z) = I(X; Z) + I(Y; Z\X) 
(Lemma 1 in [2]). Note that the term [I(Wa] W b \V) - 
I(Wa',We\V)] is always positive [2], and is minimized for 
V = Wa- The condition in d29l is thus reduced to 



(30) 



(31) 



Re < [I(W A ; W b ) - I{W A ; We)} - 
-[I{U;Wb)-I{U;W e ]], 

or equivalently 

R e <I(Wa;Wb\U)-I(Wa;W e \U). 



At this point we are looking for the auxiliary random 
variable U, and its relationship with the channel input random 
variable Wa, that achieve the points on the boundary of the 
(R e , R c ) region described above. The only information about 
U that is provided in [2], is that its alphabet size may, without 
loss of generality, be assumed to be at most three letters larger 
than the alphabet of Wa (in our binary case, the alphabet of 
U would have at most five letters). 

The following three results(two propositions and one con- 
jecture) greatly simplify the search for the optimal auxiliary 
random variable and channel. The two propositions are proved, 
and the arguments behind the conjecture are presented, in 
Appendix [B] 

Proposition 9: The optimal auxiliary random variable U 
can be defined, without loss of optimality, over a three- 
dimensional alphabet. 

Conjecture 10: The optimal auxiliary random variable U 
can be defined, without loss of optimality, over a binary 
alphabet. 

Proposition 11: If t/ is considered binary, then its optimal 
distribution over its two-dimensional alphabet (pick it as {0, 1} 
for convenience) is a uniform one. Moreover, the optimal 
auxiliary channel that links U to the physical channel input 
Wa is a simple binary symmetric channel. 

In the remainder of this paper we shall assume that U is 
a binary, uniform random variable, linked to Wa through a 
BSC of crossover probability 7. Note that even if Conjecture 
[TOl were false, this assumption would not interfere with the 
achievability of our secrecy rates. Instead, our rates would 
lower-bound the secrecy rates achievable under the optimal 
distribution of a ternary U and the corresponding optimal 
auxiliary channel between U and Wa- 



Once we pick the auxiliary channel crossover probability 7 
we can compute 



and 



R* c = l-h(-y + 6 f -2~f5 f ) (32) 

R* e = [h{8 f ) - h(e f )} - 
-[h(7 + 5 f - 2j5 f ) -h(r/ + e f - 2 7e/ )]. (33) 

Similar arguments to those in the previous section apply to 
show that the messages v © y, containing the secret message 
s kl , can now be transmitted to Bob asymptotically error free 
at a rate arbitrarily close to R*, in the form of a common 
message. In addition, another secret message s fe2 can be 
transmitted simultaneously to Bob at rate close to R*. In the 
remainder of this section we calculate the resulting overall 
secrecy rate. 

Proposition 12: If the legitimate receiver's channel is less 
noisy than the eavesdropper's channel, the secrecy rate 

(i?* + R*R SjU ) CabRs, 



R, 



s,0 



max ■ 

7 



Rt 



1 ' Cab + 1 



(34) 



is achievable by our feedback-based scheme, where R* and 
R* are given by ( T32T > and (|33l l, respectively. 

Proof: Define the equivocations Ai = 
^(s^w™, x» + e bE ") and A 2 - ±H(s k *\w™), 
where s fc2 is the fc2-sequence of secret source symbols that 
are encoded in the codeword w^ 1 as a secret message, and 
s fel is a distinct fci-sequence of secret source symbols that are 
encoded in the sequence v © y by our feedback scheme. The 
sequence v © y is in turn mapped into the same codeword 
w^ 1 as a common message. The transmitted codeword w^f 
is received by Eve as w^ 1 . We know that for any v > there 
exists such an encoding technique which satisfies 



k 2 H„ 
M 

as long as 



> R.2 



A, > d 2 



Pe.2 < V, 



< R 2 < Cab, < d 2 < H s , R 2 d 2 < H s R* e 



and 

kiH 3 
M+n 

as long as 



> Ri — v, Ai > d\ — v , P e .i < is, 



(35) 



(36) 



(37) 



< d 1 < H s 



(38) 



< Ri < Rt.u^fi, 

R\d\ < H s R SyU j^rpi ■ 

The equivocation of the secret message at Eve is now 
defined as: 

1 



A = 



-H(s ftl ,s fc2 |w™ x"+e be ") 



k\ + k 2 

Since s fel and s fe2 are independent, we can write 



A = 



ki 



-A! 



(39) 



(40) 



k\ + k 2 fci + k 2 

Note that the overall rate at which the secret source is trans 



mitted is now ( kl + k ^ Hs Therefore, a correction of , ff has 
to be applied to the rate R 2 . As a result, the rate-equivocation 
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mm{j^-R 2 + R^Cab} 



pair (R, d) is achievable if R - 
and d = k k + k ^ d 1 + k k + k d 2 . Note that this implies R < Cab 
and d < H s . 

Also, due to Corollary [4] if M is large enough, we have 
k 2 d 2 -> MR% and Mi -* (M + n)-JhrR«_„. Due to " 
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and d3Tb we also have ki + k 2 
we can write 



**) ft* R>8,U 

M+n ( M 
H, 



fcidi + k 2 d 2 



1 

'R 



M 



M 



-R„ 



R* R s 



i 



(41) 



Recall that for this case, the ?i-sequence v 
in the A/-sequence at rate R*. Thus 



implies 



M 



d ^ H 



leading to 

1 i?* + R*.Rc 



R R* 



1 



y is encoded 
= R* which 



(42) 



and 



Rd-> H, 



(R* + R* C R S 



i; 



i 



(43) 



Note that the condition for achieving equality asymptotically 
(as M — > oo) in d43l above is that the two levels of 



K 

ls R*+l 



R, 



secrecy operate at R 2 d 2 = H S C* and R\di = H s 
respectively. 

Several comments are in order. If 7 = 0, we obtain 
R* = Cae, and R* = 0. However in this case, since no 
secret message is transmitted directly by Wyner's scheme, we 
can safely transmit the feedback-processed message at a rate 
RAB.fb = Cab just like in (SubsectionHIIli. This discontinuity 
in 7 = is why in (|34l we have to compare the result of 
the maximization over 7 (corresponding to the mixed scheme) 
with the rate achieved by the pure feedback scheme. If 7 = 
0.5, we have R* = 0, and R* e = Cab - Cae = C s , resulting 
in Wyner's original scheme [1] - hence no discontinuity in 
7 = 0.5. Any value of 7 in the open interval (0, 0.5) results 
in a combination of the two schemes. ■ 

Some more numerical results 

To illustrate the performance of our second approach to 
implementing the feedback-based secrecy scheme, we consider 
a model in which the forward channels have crossover prob- 
abilities £f = 0.01 and Sf = 0.02, respectively. The secrecy 
rate achievable by Wyner's original scheme is C s = 0.06. 

In Figure [6] we show the overall achievable secrecy rate 
when we use our feedback scheme, for different values of the 
crossover probabilities characterizing the feedback channels. 
The corresponding optimal value of the parameter 7 is given in 
Figure [7] Recall that whenever 7 = 0.5, our feedback scheme 
reduces to Wyner's scheme, and hence the achievable secrecy 
rate is C s . Also, when 7 = 0, our scheme uses the whole 
capacity Cab of Bob's forward channel to convey a secret 
message encoded with the help of the feedback sequence (no 
additional directly encoded secret message is present). The 
improvements are significant. 

V. The Third Approach: The Reversed Feedback 
Scheme 

The feedback-based scheme discussed in the previous sec- 
tion encodes two secret messages into the sequence transmitted 




Fig. 6. Secrecy rate achievable by the feedback scheme for tf = 0.01 and 
S f = 0.02. 



Optimum value of y for the feedback scheme: e =0.01 . 8 =0.02 




Fig. 7. The optimal value of 7 for the feedback scheme when ej = 0.01 
and Sf = 0.02. 



over the forward channel. The main idea behind this construc- 
tion is based on the capability of the legitimate transmitter 
(Alice) to transmit two types of messages simultaneously [2]: 
a first secret message to Bob, and a common message to both 
Bob and Eve. In our case, the common message carries a 
second secret message, the encoding of which is based on 
artificially degrading Eve's equivalent channel by the use of 
a feedback sequence. But on a deeper level, the encoding of 
both secret messages uses the same principle developed in [1], 
and none of them uses an explicit secret key. 

In this section, we discuss another approach to increasing 
the secrecy rate, namely when the feedback-based scheme is 
used on the reversed channel (in the sense that the secret 
message encoded with the help of our feedback-based scheme 
is now transmitted from Bob to Alice instead of from Alice 
to Bob) to send a secret key from Bob to Alice, much like in 
[7] and [8] (in fact the scenarios of [7] and the correct part of 
[8] can be considered as special cases of our reversed mixed 
feedback scheme.). Alice can subsequently use this secret key 
as a one-time pad, for transmitting a secret message of the 
same entropy [10] to Bob. 

Although this new protocol requires more bandwidth than 
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the previous one, it can sometimes achieve better overall 
performance in terms of rate-equivocation region and secrecy 
rate. However, this can only happen under the (necessary but 
not sufficient) condition that the rate at which the secret key 
is transmitted from Bob to Alice exceeds the secrecy rates 
achievable by the original feedback scheme. 

Denote by R s p the supremum of the rates at which Bob can 
transmit a secret key (or a one-time pad) to Alice by using 
the feedback scheme developed in the previous section on the 
reversed channel. Note that R s . p can be obtained from the 
expression of i? Sj o in (f34-b by replacing ej by e&, Sf by 8b, 
and vice versa. 

To acquire this secret key, Alice and Bob engage in a 
protocol which is the reversed version of the one described 
in the previous sections. Alice broadcasts a random feedback 
sequence of n bits. Bob can then encode ki secret bits into 
an n-sequence, which is added mod 2 to Bob's received 
feedback sequence, and then the result is further encoded into 
an M -sequence for asymptotically error free transmission over 
the B — > A and B — > E channels. 

If Cba > Cbe, the same 7\/-sequence can carry an 
additional secret message of k% bits. A number of M + n 
channel uses are thus required for the transmission of a 
k r = ki + fc2-bit secret key r kr , and are accounted for in 
the expression of R s ^ p (that is, R s ^ p = A ^T„ ). 

After adding the secret key r kr to a secret message s r r of 
her own (also a fc r -bit sequence), Alice encodes the result 
into an M'-sequence for the forward channel. Note here 
that because Alice uses a secret key, the secrecy of s r r is 
preserved (by the Crypto lemma [11]) even if Eve has perfect 
access to the resulting fc r -bit sum sequence r kr © s r fer . 

At this point, Alice could choose to encrypt everything she 
transmits to Bob. However, that strategy would require the 
generation of a long secret key, and hence cause a large rate 
loss due to feedback - recall that in our results we count 
the bandwidth expenditure due to feedback. Instead, a mixed 
secrecy encoding strategy on the forward link may be optimal. 
For example, a special adaptation of our reversed feedback 
scheme is possible when Cab > Cae- Recall that in Section 
ITVl we made a comment about the possibility to transmit a 
secret message, encoded in the cosets of a code, at a rate 
arbitrarily close to the secrecy capacity C s = max{CAB — 
Cae,0}, while using the feedback-processed sequence vffiy 
(that was carrying a separate secret message) for selecting the 
exact coset representative to be transmitted. In Section HVl this 
was not possible due to the fact that Eve had some information 
about v©y, from its received feedback sequence x©ebE- In 
the present scenario, however, the message r kr © s kr is totally 
unknown to Eve, and can be safely used for selecting the coset 
representative. 

Thus, a first fc -bit secret message - denote it by s fc ° - 
can be transmitted from Alice to Bob using Wyner's original 
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scheme [1], at a rate 



C s . A second secret message 



can be transmitted at a rate jfr ~ Cf (we denoted 



Cf — minjCAB, Cae}) by using the secret key r fcr generated 
through a reversed feedback scheme. 

With this notation, and taking into account all n + M + M' 
channel uses involved in the protocol (i.e. n for the reversed 




Fig. 8. Overall secrecy rate achievable by the reversed feedback scheme for 
Ef = 0.02 and 6 f = 0.01. 



feedback sequence from Alice to Bob, M for the transmission 
of the secret key from Bob to Alice, and M' for the transmis- 
sion of the secret message from Alice to Bob), we can write 
the overall achievable secrecy rate as 

_ fc + k r 
s ' rf ~ n + M + M' ~ 

(C s + C f ) = Cab ^ R :^ , (44) 



n + M + M' 



Cf + R s 



jF ~r J«-s,p 

where in the second equality we used the fact that Cf + C S = 
Cab and that 

M' k r /(n + M) R 



s,p 



(45) 



n + M + M> k r /M' + k r /(n + M) C F + R S , P ' 

An observation is now in order. Although a secret key of 
length equal to that of the transmitted message may be gen- 
erated by our reversed feedback scheme, employing Wyner's 
original scheme, when possible, in addition to the encryption 
by the secret key is always optimal. Indeed, Wyner's scheme 
guarantees the transmission of a secret message without wast- 
ing any resources other than the M' bits of the forward 
channel sequence, while encrypting a message by a secret 
key generated as above requires additional resources that grow 
linearly with the size of the secret key. For example, generating 
a secret key long enough to encrypt the whole secret message 
(of size M'Cab bits) yields an achievable secrecy rate equal 



to Cab 

Cab 



ft,. 



Cab+Rs 



which is always less than the secrecy rate 



R a 



above, achieved by the mixed scheme. 
Numerical Results 

For the first data set, of Section [TTIJ (et = 0.02 and Sf = 
0.01), the achievable secrecy rate and the optimal 7 for the 
reversed feedback scheme are given in Figures [8] and [9] 

The improvement in the overall secrecy rate when using 
the reversed feedback scheme instead of the regular feedback 
scheme, i.e. the function max{0, R s ,rf — Ro}, is shown in 
Figure Q~2] Note that the reversed mixed feedback scheme is 
usually a better choice when Eve's feedback channel is worse 
than Alice's (i.e. 8b > £&)■ 

For the second data set, of Section |IV] (e/ = 0.01 and 
Sf = 0.02), the secrecy rate R s j achievable by the re- 
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Optimum value of y for the reversed feedback scheme:e =0.02, 5 =0.01 




Secrecy rate achievable with reversed feedback schemes =0.01 , 5 =0.02 




Fig. 9. The optimal value of 7 for the reversed feedback scheme when Fig. 11. Secrecy rate achievable by the reversed mixed feedback scheme for 



e f = 0.02 and 5 f = 0.01. 



: 0.01 and S f = 0.02 



Improvement in secrecy rate with reversed feedback scheme, relative to feedback scheme:!: =0.02, 5 =0.01 



Improvement in secrecy rate with reversed feedback scheme, relative to feedback scheme:r: ( =0.01 , 5 ( =0.02 





s„ 



Fig. 10. Improvement in overall secrecy rate when using the reversed Fig. 12. Improvement in secrecy rate when using the reversed mixed feedback 
feedback scheme instead of the regular feedback scheme: e f = 0.02 and scheme instead of the regular mixed feedback scheme: e f = 0.01 and 5 f = 



Sf = 0.01. Represented is the function max{0, R s ,rf ~ Rs,o}- 



0.02. Represented is the function max{0,i? s 



rf 



R s ,o}- 



versed mixed feedback scheme is given in Figure QT| and 
the improvement over the regular mixed feedback scheme 
is depicted in Figure [9] Once again, the reversed feedback 
scheme performs better when 5b > £f,. It is also interesting to 
note the existence of a region in the (e^, 5b) plane (around the 
diagonal = 5b), where our regular mixed feedback scheme 
beats Wyner's scheme even when > 5b (see Figure |6), and 
it also beats the reversed mixed feedback scheme even when 
eb < 8b (see Figure Il2l. 

VI. Conclusions 

We presented a scheme that achieves a strictly positive 
secrecy rate even if the eavesdropper's channel is better than 
the legitimate receiver's channel, and improves the achievable 
secrecy rate if the eavesdropper's channel is worse. 

We proposed several collaborative secrecy encoding meth- 
ods, all of which use our feedback scheme. Depending on the 
channel conditions, the possible ways in which the feedback- 
based scheme can be used are summarized in Table Q] The 
term pure feedback scheme in Table U denotes the feedback 
scheme as implemented in Section|III] i.e. without being mixed 



with Wyner's scheme, while mixed feedback scheme refers to 
the implementation of Section IIV1 under the optimal mixture 
between the pure feedback scheme and Wyner's scheme. Sim- 
ilar considerations hold for the reversed pure/mixed feedback 
scheme (see Section [VT>. 

Our scheme requires a new random sequence to be fed back 
from Bob, for each codeword that Alice wants to send over 
the forward channel, in a manner similar to the one-time pad. 
We have shown that Theorem 4 in [5], which provides an 



TABLE I 

Possible implementation of our feedback-based secrecy 

SCHEME. 



Channel conditions 


Possible implementation 


Cba < Cbe 
Cab < Cae 


Pure feedback scheme 


Cba > Cbe 
Cab < Cae 


Pure feedback scheme OR 
Reversed mixed feedback scheme 


Cba < Cbe 
Cab > Cae 


Mixed feedback scheme OR 
Reversed pure feedback scheme 


Cba > Cbe 
Cab > Cae 


Mixed feedback scheme OR 
Reversed mixed feedback scheme 
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upper bound on the achievable secrecy rate when the public 
channel is error free, does not hold if this condition is not 
satisfied. The derivation of such an upper bound for the more 
realistic scenario with imperfect public channels is still under 
our investigation. 

The main advantage of our scheme is that it makes physical 
layer security protocols implementable with only minor re- 
strictions imposed on the eavesdropper's channel, restrictions 
which can be easily ensured by perimeter defense (transmis- 
sion power is low enough to guarantee a minimum error 
probability for any terminal situated outside a safe perimeter). 

Appendix A 
Why the Approach of [8] Is Wrong 

Since the ideas of [8] are closely related to our feedback 
secrecy encoding scheme, and since [8] suffers from several 
subtle flaws, we dedicate this appendix to pointing out three 
of these. 

First, all the rates of [8] are expressed without considering 
the expense of channel uses due to feedback. While this may 
seem like a minor inconvenience as far as the forward channel 
rates are involved, it becomes a problem when the forward 
channel rates are mixed with orthogonal feedback channel 
rates, as in sections 3 and 4 of [8]. More specifically, the 
secrecy rate achievable by Wyner's scheme on the forward 
channel cannot be added to the rate at which the secret key 
is generated over the orthogonal feedback channel unless both 
channels use the exact same codeword length. 

Second, even if both the feedback and forward channels 
used the same codeword length, the time sharing idea of 
[8] is questionable. It is claimed in [8] that time sharing is 
performed between two modes of operation on the feedback 
channel: Wyner's regular scheme, and our feedback secrecy 
scheme. With the notation of [8], the two modes of operation 
would normally yield secrecy rates C h s = [h(6b) — h(eb)} + 
(Wyner's scheme) and Rfbs = M e & + — ^b^b) — h(eb) (our 
feedback scheme). Thus, the optimal time sharing between 
these schemes is to always use our feedback secrecy scheme 
(i.e. a — always in [8]) since Rfbs > C h s regardless of the 
channel parameters. 

Third, our secrecy feedback scheme cannot be mixed with 
Wyner's secrecy scheme the way that was claimed in section 4 
of [8]. The mixed strategy of [8] was inspired by some of our 
results in [9], which are incorrect, and for which we assume 
full responsability. 

Whenever this type of mixing is desired, special care should 
be taken to ensure that Eve's information about the random 
feedback sequence, obtained on the feedback channel, does 
not compromise the secrecy of Wyner's scheme. We have 
already mentioned this in Section [IV] In the following, we 
give a more detailed explanation of this account. With the 
notation on Section IIVI consider the secret message encoded 
by Wyner's scheme s k2 , the auxiliary message - the one used 
for picking the exact bin representative [1], and which contains 
another secret message, encoded with the use of the feedback 
scheme - v © y, Alice's transmitted sequence (which is 
a deterministic function of s k2 and v©y), and Eve's received 
sequence Wg . 



The key to Wyner's secrecy scheme is to employ an 
encoding scheme that guarantees that if(v © y) is arbitrarily 
close to, but less than, /(w^ ;wj^) [1]. Indeed, this is how 
the encoding in [8] is performed. 

However, recall that due to the feedback scheme, Eve also 
has access to a distorted version z of Bob's feedback sequence 
x. In order for Wyner's scheme to still work, we would need 
to have H(v ©y[z) arbitrarily close to I(wj£; w^ 1 , z). But 
we can write 

#(vffiy|z) < ff(v©y) ~ 
^/(w^;w^)<I(w^;w*f,z), (46) 

where the first inequality holds in a strict sense and follows 
from the fact that, because v is the output of a Wyner- 
type channel encoder (for the artifficially created equivalent 
channels - see Section lTl-Ab . it cannot be uniformly distributed 
over {0, 1}™, and thus v © y is not independent of z. The 
second inequality follows from the fact that z — > x — > y — > 
w a ~~ * w e I f° rm a Markov chain. 

Appendix B 

The Optimal Tradeoff between the Secret Rate 
and the Common Rate 

In Section [IV] we have already shown that for an eaves- 
dropper channel with input (at Alice) X and outputs Y 
at the legitimate receiver (Bob) and Z at the eavesdropper 
(Eve), for which the Bob's channel is less noisy than Eve's 
channel, a pair of one secret and one common messages can be 
transmitted with asymptotically zero average error probability 
if and only if the rate R e of the secret message and the rate 
R c of the common message satisfy 

R e <I{X;Y\U)-I{X;Z\U) (47) 

and 

Rc<I(U-Z), (48) 

where U is an auxiliary random variable such that U — > X — > 
YZ form a Markov chain. This result is a straightforward 
particularization of Theorem 1 in [2], for the case when Bob's 
channel is less noisy and we are only concerned with common 
and secret messages. From an application point of view, an 
efficient communications system that uses the framework in 
[2] to transmit two such messages should operate on the 
boundary of the (R e ,R c ) rate region. For example, once R c 
is set to a fixed value R*, the system should aim to use the 
maximum secrecy rate R e available under these circumstances. 
This is equivalent to finding the optimal auxiliary random 
variable U, and the optimal relation (we shall henceforth 
denote this relation by the term "channel") between U and 
X, that maximize R e for a given value of R c . 

To the best of our knowledge, at present there exist no 
studies that solve the above problem, even for the simplest 
of cases. In this appendix, we prove that the alphabet size of 
U can be reduced from 5 letters to just 3 letters without any 
loss of optimality (Proposition |9), and then provide arguments 
to back our Conjecture [Tol that the boundary of the (R e ,R c ) 
rate region is achieved by a binary auxiliary random variable 
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U. Finally, we prove Proposition [PT1 which states that if U is 
considered binary, then the optimal auxiliary channel, which 
connects U to the channel input random variable X, is a BSC. 

Our model consists of a main channel and an eavesdropper 
channel modeled as BSCs with crossover probabilities e and 
5, respectively, such that e < 5 and e, S £ [0, 0.5]. 

A. Proof of Proposition [9] 

Following the proof of the admissibility of the size con- 
straints in [2], we make the following denotations: 

f x (p) = Pr(X = 0|p) = p(0) = p, (49) 
f y (p)=H(Y\p)=h(e+p-2ep), (50) 

f z (p)=H(Z\p) = h(S + p-2Sp), (51) 

where p denotes the probability mass function (p.m.f.) of X, 
while f y (p) and f z (p) are the respective entropies of Y and 
Z, when X has the p.m.f. given by p. In the remainder of this 
appendix we shall denote a — > b = a + b — 2ab, as the formula 
is the same as the crossover probability of a concatenation of 
two BSCs with respective crossover probabilities a and b. 

Think of p as a function under the control of the random 
variable U. Thus, for any u in the alphabet of U, if U = u, 
then the p.m.f. of X becomes p u . We can now write, as in 
[2], 

Pr(X = 0) = ]T Pr(U = u)f x (p u ), (52) 

U 

I(U;Z) = H{Z) - H{Z\U) = 
= H(Z) - ]T Pr(U = u)f z (p u ), (53) 

U 

I(X; Y\U) = H{Y\U) - H{Y\X) = 

= MU = u) [f y ( Pu ) - h(e)] , (54) 

u 

and 

I(X; Z\U) = H{Z\U) - H{Z\X) = 

= ]T Pr(U = u) [f z {p u ) - h(S)} , (55) 

u 

where we used the fact that U — > X — > Y Z form a Markov 
chain and that H(Z\X) and H(Y\X) are independent of the 
actual probability distribution of X (the variables are related 
through BSCs). Note that H(Z) is completely determined by 
the channel coefficients e and 5 and by Pr(X = 0) defined 
in (E2l. 

Consider the triple (f x {p), f y (p), fz(p)) = {p,h(e+p- 
2ep), h(S + p — 2Sp)) and note that all of the quantities in 
( l52l - dB3l l above are expressed in terms of the same convex 
combination of one of the members of our triple. In other 
words, any set of feasible values for the quantities in d52l - 
d55| i is uniquely determined by a point in the convex hull of 
the settf = {(p,h(e+p-2ep),h(5 + p-26p))\pe [0,0.5]}, 
which is a 3D space curve. Note here that for any p £ [0.5, 1] 



we can find a / e [0, 0.5] that yields the same values for 
I(U; Z), I(X; Y\U) and I{X; Z\U). 

By Caratheodory's theorem, since ^ £ M 3 , any point in the 
convex hull of can be expressed as a convex combination of 
only four points belonging to c £ . Using the same strengthened 
version of Caratheodory's theorem, due to Eggleston, as in 
[2], we can state that, since ^ is a connected subset of M 3 , 
any point in its convex hull can be expressed as a convex 
combination of only three points belonging to ^ (Theorem 
18 (ii) on page 35 of [14]). This implies that it is enough to 
consider only three values of p to be able to produce any triple 
of feasible values for the quantities in d54l ) - d55l l. But since 
p is controlled by the value of the auxiliary random variable 
U, we can therefore let U be ternary. □ 

B. Arguments Supporting Conjecture [70| 

In Conjecture Qj] below we state that, due to the special 
form of the set ^ defined in the previous subsection, we can 
actually express any point in its convex hull as the convex 
combination of only two of its points. 

This would imply that it is enough to consider only two 
values of p to be able to produce any triple of feasible values 
for the quantities in d54l ) - d55l ) and hence we can let U be 
binary. 

Conjecture 13: Consider the 3D space curve given by = 
{(p, h(e + p- 2ep), h{5 + p - 2Sp))\p £ [0,0.5]}. Any point 
in the convex hull of ^ can be expressed as the convex 
combination of only two points belonging to ^ , 

Supporting arguments 

Recall the denotation x — >■ p = x + p — 2xp. The space 
curve c € , along with its projections onto the (p, h(e — > p)) 
and (p, h{5 — > p)) planes, is represented in Figure [13] We 
shall henceforth call the p axis the "abscissa" axis, because 
it is the common abscissa axis of both (p,h(e — ► p)) and 
(p, h(S — » p)) planes. Also represented in the figure is a 
random point M in the convex hull of c € , which was obtained 
as the convex combination of three points A, B and C be- 
longing to , Due to Eggleston's extension of Caratheodory's 
theorem [14], we know that any point in the convex hull of 
^ can be obtained in this manner. In the remainder of this 
argument we shall denote by Pd the projection of the point 
P onto the {p,h(S — ► p)) plane, and by P e the projection 
of the point P onto the (p,h(e — > p)) plane, for any point 
P £ {A, B, C, D, E, F, G, M, X, Y}. Moreover, we denote 
by % and & e the projections of the space curve c i on the two 
planes, respectively. 

The present conjecture shows that in fact the point M can 
be obtained as the convex combination of only two points of 
^ - in Figure [T3l these points were denoted by X and Y, 

This is equivalent to showing that there exist two values p x 
and p y of p, such that if we denote the points X e = (p x , h(e — > 
Px)), X d = (p x ,h{5 -* p x )), Y e = (p y ,h(e -> p y )) and 
Yd = (Py, h(S —* p y )), then M e belongs to the line segment 
connecting X e and Y e , and simultaneously M<j belongs to the 

2 See definitions in [13]. A separation of a topological space 5 is a pair 
of nonempty, disjoint, open subsets of S, whose union is S. The space S is 
connected if there does not exist a separation of S. 
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He -> p) 




Fig. 13. The space curve and its projections onto the (p,h(e — > p)) and 
(p, h(S — > p)) planes. 



He -> P ) 




Fig. 14. Projections of the space curve: simplified problem. 

line segment connecting Xd and Yd- At this point, assume that 
the following remark is true. 

Remark 14: (This remark has been checked numerically. 
However, we currently do not have a theoretical proof.) 
Consider four random points A, D, B, C on the space curve 
c <o, such that their respective abscissae Pi,P4,P2)P3 satisfy 
Pi < Pi < p-2 < P3, and construct their projections 
A e ,D e ,B e ,C e and A d ,D d ,B d ,C d on the planes (p,h(e -> 
p)) and (p,h(8 — > p)), respectively. Then the abscissa of the 
intersection of the segments A e B e and D e C e is greater than 
the abscissa of the intersection of the segments AdBd and 
DdCd- The result is illustrated in Figure [14] for two tuples of 
points, namely (A, D, B, C) and (A, B, F, C). 

Recall that the points A, B and C determine our point of 



He -> p) 




Fig. 15. Projections of the space curve: existence of a solution. 

interest M, that is M = aA + bB + cC, where a, b, c G [0, 1] 
and a + b + c = 1. This implies that the intersection between 
the segments A e B e and C e M e , and the intersection between 
AdBd and CdMd have the same abscissa, namely ap *^ P2 . 
Due to Remark [T4l above, this means that the segment C e M e 
intersects the curve c € e at a point E e which has an abscissa 
Pi je which is less than the abscissa pi t d of the intersection D d 
between CdM d and as illustrated in Figure [151 

Denote by D e the point of 1f e with the same abscissa pi <j 
as Dd. It is clear that the segment D e C e passes above the 
point M e , while DdCd passes through M^. 

By a similar rationale, the intersection between the segments 
A e M e and B e C e , and the intersection between AdMd and 
BdCd have the same abscissa, namely ^f-j^— ■ Due to Remark 
[l4l this means that the segment A e M e intersects the curve ^ 
at a point G e which has an abscissa p2, e which is less than 
the abscissa p^ t d of the intersection Fd between AdMd and 
% (see Figure [T3J. Denote by F e the point of ^ e with the 
same abscissa p2.d as Fd. It is clear that the segment A e F e 
passes below the point M e , while A d F d passes through Md. 

This implies that there exists a value p x G [pi,Pi.d] of 
p such that, if we denote X e = (p x ,h(e — > p x )) and 
= (Pa) - ► Pa))> tnen tne segments X e M e and X^Mc; 
intersect the curves < j? e and respectively, at points Y e and 
Yd with the same abscissa p y G [p2,d,P3]- Hence X e and X d 
are the projections of a point X G c 6 \ and Yg and Y d are 
the projections of a point Y G ^ and the segment XY goes 
through M.a 

C. Proof of Proposition [77] 

Let U belong to {0, 1} (whether that is optimal or not 
is still an open problem), and denote q = Pr(U = 0). 
Since X is also binary, the channel between U and X can 
be completely characterized by two transition probabilities. 
Denote a = Pr(X = 1\U = 0) (this implies Pr(X = 0\U = 
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"( x ) = q + 1 ~ g 1 = 

9 x(l - x) + n(a) x(l-x)+n(/3) x(l - x) + ^(7) 

x(l - x)[fi{j) - gA t(g) - (1 - g ) M (/?)] + //(7)(g/x(/3) + (1 - g)/x(a)) - rfifi , 

(a:(l-x)+/i(«))(x(l-a ; )+/,(/3))(a ; (l-a ; )+/x(7)) ^ ' 



0) = 1 - a), and /3 = Pr(X = 0\U = 1) (this implies 
Pr(X = l|{/= 1) = 1 -/3). 

Note that d47b and d48l can be rewritten as: 

R e < [H(Z\X)-H(Y\X)] - 
-[q(H(Z\U = 0)-H(Y\U = 0)) + 
+(l-q){H{Z\U = l)-H(Y\U=l))} (57) 

and 

Rc < H{Z) - [qH{Z\U = 0) + (1 - q)H(Z\U = 1)], (58) 
With the notation above, the upper bounds can be written as 

R e< u{l,a,P) < [h(8)-h(e)]- 
-[q(h(a -^6)- h(a ->■ e)) + 
+ (1 -q)(h(p^ S) -h(J3 ->e))] (59) 

and 

Rc,u{l, <*, 0) < h(qa + (1 - g)(l -0)^8)- 

~[qh(a ^ &) + (1 - q)h{(3 ^ 5)], (60) 

where a — > 6 stands for a(l — 6) + 6(1 — a) = a + 6 — 2a6 
as before, and we emphasized the dependence of the upper 
bounds upon the triple (q,a,(3). 

In what follows we take a contradictory approach. Consider 
any triple (q, a, (3) and denote 

R x {q, a,0) = l- [qh(a 6) + (1 - g)/i(/3 -> *)]. (61) 

We show that if we replace this triple by the triple (0.5, 7, 7) 
(corresponding to a uniform distribution of U over {0, 1} and 
a BSC between U and X), such that 

R x (q,a,P) =i4(0.5,7,7) (62) 

(we also prove that such a 7 exists always), we have 
Re !U (q,a,p) < i?e : „(0.5,7,7) and R c . u (q,a,(3) < 
R c>u (0.5, 7, 7). Therefore, a triple (q,a,f3) for which either 
g 7^ 0.5 or a ^ /3 holds cannot be optimal, and hence the last 
part of our theorem is proved. 

Note that R x (q,a,(3) = R x (0.5,j,-f) translates to 

qh(a^S) + (l-q)h(j3^6) = h(~/^d), (63) 

Since qh(a -*■ 6) + (1 - g)/i(/3 -*• 5) 6 [0, 1], the binary 
entropy function is a bijection over [0, 0.5] and f(j) = 7 — > 5 
with 5 e (0, 0.5) is also a bijection over [0, 0.5], we can always 
find a 7 that satisfies (|63]l. Since h([qa + (1 - <j)(l - /?)] -» 
5) < 1 and h{[0.5j + 0.5(1 - 7)] -^6) = h{0.5 —> 5) = it 
is straightforward to see that 

R c ,u{q,a,P) < R x (q,a,P) = 
= J4(0.5 )7 ,7) = ii c ,„(0.5,7,7). (64) 



We can now write 

i?e,«(0.5,7,7) - R &tU (q,a,/3) = 
= h(i -> e) - g/i(o e) + (1 - g)/i(/3 -> e). (65) 

Define g(a;) = ^(7 — * x) — qh(a — > + (1 — q)h((3 — » x). 
From d62l we have that g(<5) = 0, and it is straightforward 
to see that (?(0.5) = 0. Since we only discuss the case when 
S < 0.5, we now know that g(x) has two different zeros over 
the interval [0,0.5]. We need to show that for any e < if we 
have g(e) > 0. 

Denote g'(x) = d9 }f > and g"{x) = d the first and sec- 
ond order derivatives of g. With the notation fi(x) = r^z^h , 
we can write g" as in d66b . 

Since the denominator of g" is always positive, the equation 
g" (x) = reduces to a second degree equation in x. Thus g" 
has at most two real zeros, which are symmetric with respect 
to the point 0.5, and hence at most one zero (denote it by z") in 
the interval [0,0.5]. Moreover, since fi(x) is a strictly convex 
function of x, the coefficient — [^(7) — <zM a ) ~ (1 ~ 
of x 2 in the numerator of g" is strictly positive. This implies 
that g"{x) > for x £ [0,z"]. 

Now suppose that g(x) had more than two zeros on the 
interval [0,0.5]. Then g'(x) would have at least two zeros on 
the open interval (0, 0.5), and hence a total of three zeros in 
[0,0.5] (it is straightforward to check that <?'(0.5) = 0). Thus 
g" would need to have at least two zeros in (0, 0.5). But we 
have already shown that this is impossible. Therefore, g(x) 
has only two zeros in the interval [0, 0.5] (these are 6 and 
0.5). 

As a consequence, g' has at least one zero in (<5, 0.5) - 
denote this zero by z' . Since g' has a zero in 0.5, this implies 
that the zero z" of g" is in the interval (z 1 , 0.5). We can now 
write 5 < z' < z". We already know that g"(x) > on 
[0, z"), thus g'(x) is strictly increasing on [0, z'], and since 
g'(z') = 0, this means that g'(x) < on [0,6]. But since 
g{6) = 0, this means that for any e < 8 we have g(e) > 0. 
Our argument is now complete. □ 
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